Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP TMOS
Known Affected Versions:
12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1
Fixed In:
13.1.0
Opened: Aug 26, 2016 Severity: 3-Major
If you disable proxy-support inside a v1 ike-peer, the config will not work because the racoon daemon cannot send proper identifying information to tmm in a GETSPI request. (The source appears to be localhost 127.0.0.1, which does not identify the peer, so no SPI can be allocated.)
IPsec tunnels for IKEv1 cannot be established when proxy-support is disabled in the racoon daemon.
In a v1 ike-peer, disable proxy-support.
Enable proxy-support in the ike-peer config definition. Note: In a v1 ike-peer, proxy-support must be enabled for a v1 peer to work. This is the default value, and should not be changed.
On the responder side, a logged line will say 'check IKE-PEER proxy support' in part of the message, to explains GETSPI failure, as a suggestion to fix this in the ike-peer config.